
fix(reusable-trivy): sparse-checkout .trivyignore for the image scan gate#47

Merged: zircote merged 2 commits into main from fix/trivy-image-checkout-ignorefile on Jul 3, 2026
Conversation

@zircote (Contributor) commented Jul 3, 2026

Summary

The image job in reusable-trivy.yml runs a fail-closed Trivy image scan (exit-code: 1) but never checks out the caller repository. Trivy's default .trivyignore auto-discovery, which the image scan type honors the same as fs scans, therefore has nothing to find. A repository has no way to document an accepted, unfixable base-image CVE without the gate blocking every future push indefinitely.

This PR adds a sparse checkout of .trivyignore before the scan step (not a full checkout, so a caller's root-level trivy.yaml does not also get silently auto-loaded and coupled to this unrelated image gate; that gap surfaced in local review before this PR was opened). I verified the fix locally against the image that is currently failing (mif-rs's mif-cli, digest sha256:4ac7813...) using the real trivy CLI: --ignorefile .trivyignore --severity HIGH,CRITICAL --exit-code 1 goes from exit 1 (four unfixed glibc CVEs) to exit 0 once a .trivyignore file is present.

Note on PR #45

fix/reusable-trivy-ghcr-auth (#45) inserts a step at the same location in the same job, immediately after steps: and before the Trivy scan step. Whichever PR merges second will hit a trivial textual conflict. Resolve by keeping both new steps; the GHCR login and the .trivyignore checkout are independent, so their relative order does not matter.

Test plan

  • actionlint passes clean on the modified workflow file
  • Verified locally with the trivy CLI against the real failing image digest: exit code moves from 1 to 0 once .trivyignore is present, reproducing this step's effect
  • Confirmed the change is a no-op for callers without a .trivyignore (a sparse checkout of a nonexistent path is silent; Trivy's behavior is unchanged)
  • CI run on this PR itself (this repository has no image-ref caller to exercise the job directly; verified instead through the downstream mif-rs companion PR)
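As an added illustration of the two steps the PR describes (this is not the project's reusable-trivy.yml, which is not reproduced on this page), the sketch below shows a sparse checkout of only the caller's root .trivyignore followed by a fail-closed Trivy image scan in a reusable workflow. The workflow_call input name image-ref, the job name and the pinned action versions are assumptions; only the pattern itself comes from the PR.

```yaml
# Added example sketch, not the project's own workflow file.
# Assumed: a workflow_call input named image-ref and the action versions pinned below.
on:
  workflow_call:
    inputs:
      image-ref:
        required: true
        type: string

jobs:
  image:
    runs-on: ubuntu-latest
    steps:
      # Check out only the root .trivyignore, not the whole caller repository.
      # Cone mode is switched off so that a single-file pattern is honoured;
      # in cone mode the pattern would be treated as a directory name.
      # Per the PR's test plan, a caller without a .trivyignore simply gets an
      # empty checkout here and the step does not fail.
      - name: Sparse-checkout .trivyignore from the caller repository
        uses: actions/checkout@v4
        with:
          sparse-checkout: .trivyignore
          sparse-checkout-cone-mode: false

      # Trivy looks for .trivyignore in the working directory by default, so no
      # extra flag is needed. Because trivy.yaml was deliberately not checked
      # out, a caller's fs/license-scan config cannot be auto-loaded into this
      # gate as a side effect.
      - name: Trivy image scan (fail closed on HIGH/CRITICAL)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: image
          image-ref: ${{ inputs.image-ref }}
          severity: HIGH,CRITICAL
          exit-code: '1'
```

The matching .trivyignore in the caller repository is one finding ID per line (for example a CVE ID) with `#` comment lines for the justification. Two practitioner caveats: prefer an explicit ignore list over `ignore-unfixed: true`, which would silently accept every unfixed finding rather than the specific base-image CVEs a reviewer signed off on; and where the Trivy release in use supports the `exp:YYYY-MM-DD` suffix on an ignore entry, date the accepted risk so the gate reopens instead of staying muted indefinitely.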

…gate

The image job's fail-closed Trivy scan never checked out the caller
repo, so Trivy's own default .trivyignore auto-discovery (which the
image scan type honors just like fs scans) had nothing to find. A
repo had no way to document an accepted, unfixable base-image CVE
(e.g. a Debian <no-dsa> glibc issue) without the gate blocking every
future push indefinitely.

Sparse-checkout only .trivyignore, not a full checkout, so this
doesn't also pull in a caller's root-level trivy.yaml and silently
couple that fs/license-scan config to this unrelated image gate.

Copilot AI (Contributor) left a comment

Pull request overview

Improves the reusable Trivy image scan gate by ensuring Trivy can discover a caller repository’s .trivyignore without performing a full repo checkout (avoiding unintended auto-loading of repo-level trivy.yaml config during image scans).

Changes:

  • Adds a sparse checkout step that fetches only the caller repo’s root .trivyignore prior to the Trivy image scan.
  • Documents the rationale for sparse checkout (enable .trivyignore discovery while avoiding config coupling).


Review comment thread on .github/workflows/reusable-trivy.yml (outdated)
@zircote zircote force-pushed the fix/trivy-image-checkout-ignorefile branch from c8d589d to 97290c8 Compare July 3, 2026 00:52
@zircote zircote marked this pull request as ready for review July 3, 2026 00:53
The referenced iac-license job comment precedes the image job in this
file, not follows it. Flagged by Copilot review on PR #47.
@zircote zircote merged commit 7c56346 into main Jul 3, 2026
7 checks passed
@zircote zircote deleted the fix/trivy-image-checkout-ignorefile branch July 3, 2026 00:59
